data/reports: add GO-2023-1882.yaml

jba · jba · commit 5ab38433e1e3 · 2023-07-06T20:13:13.000Z
Aliases: CVE-2023-34450 Fixes #1882 Change-Id: I75b725165c45e89f6ccd90cc1bc4cb96d2ee1e07 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/507903 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Jonathan Amsterdam <jba@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2023-1882.json b/data/osv/GO-2023-1882.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1882",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-34450",
+    "GHSA-mvj3-qrqh-cjvr"
+  ],
+  "summary": "Deadlock in github.com/cometbft/cometbft/consensus",
+  "details": "An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called.\n\nThis function can be called in two ways. The first is via logs, by setting the consensus logging module to \"debug\" level (which should not happen in production), and setting the log output format to JSON. The second is via RPC dump_consensus_state.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cometbft/cometbft",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.37.1"
+            },
+            {
+              "fixed": "0.37.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cometbft/cometbft/consensus",
+            "symbols": [
+              "PeerState.MarshalJSON"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/pull/524"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/pull/863"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/pull/865"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1882"
+  }
+}
diff --git a/data/reports/GO-2023-1882.yaml b/data/reports/GO-2023-1882.yaml
@@ -0,0 +1,29 @@
+id: GO-2023-1882
+modules:
+    - module: github.com/cometbft/cometbft
+      versions:
+        - introduced: 0.37.1
+          fixed: 0.37.2
+      vulnerable_at: 0.37.1
+      packages:
+        - package: github.com/cometbft/cometbft/consensus
+          symbols:
+            - PeerState.MarshalJSON
+summary: Deadlock in github.com/cometbft/cometbft/consensus
+description: |-
+    An internal modification to the way PeerState is serialized to JSON introduced
+    a deadlock when the new function MarshalJSON is called.
+
+    This function can be called in two ways. The first is via logs, by setting
+    the consensus logging module to "debug" level (which should not happen in
+    production), and setting the log output format to JSON. The second is via
+    RPC dump_consensus_state.
+cves:
+    - CVE-2023-34450
+ghsas:
+    - GHSA-mvj3-qrqh-cjvr
+references:
+    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr
+    - fix: https://github.com/cometbft/cometbft/pull/524
+    - fix: https://github.com/cometbft/cometbft/pull/863
+    - fix: https://github.com/cometbft/cometbft/pull/865
